Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Server hacked using pam_fprintd.so?

Discussion in 'Security' started by kalexanakis, Jun 7, 2017.

  1. kalexanakis

    kalexanakis Member

    Joined:
    Feb 3, 2006
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    151
    Hello

    Yesterday for about 10 minutes no services where working at a cPanel server of mine. Ι immediately investigated the issue and I found out that an attacked managed to have full access to the server as root using sudo! At /var/log/secure :

    Code:
    ....
Jun  6 13:21:52 SERVERNAME sshd[13966]: Accepted password for firefart from XXX.XXX.XXX port 28953 ssh2
Jun  6 13:21:52 SERVERNAME sshd[13966]: pam_unix(sshd:session): session opened for user firefart by (uid=0)
...
Jun  6 13:24:25 SERVERNAME su: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Jun  6 13:24:25 SERVERNAME su: PAM adding faulty module: /lib64/security/pam_fprintd.so
Jun  6 13:24:25 SERVERNAME su: pam_unix(su:session): session opened for user root by firefart(uid=0)
...
Jun  6 13:29:13 SERVERNAME sudo: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Jun  6 13:29:13 SERVERNAME sudo: PAM adding faulty module: /lib64/security/pam_fprintd.so
Jun  6 13:29:13 SERVERNAME sudo:     root : TTY=pts/2 ; PWD=/home/HACKEDWEBSITE/public_html/modules/news ; USER=root ; COMMAND=/usr/sbin/useradd -ou 0 -g 0 darkangel
Jun  6 13:29:13 SERVERNAME useradd[23620]: new user: name=darkangel, UID=0, GID=0, home=/home/darkangel, shell=/bin/bash
....
Jun  6 13:32:55 SERVERNAME sudo: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Jun  6 13:32:55 SERVERNAME sudo: PAM adding faulty module: /lib64/security/pam_fprintd.so
Jun  6 13:32:55 SERVERNAME sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/cat /home/HACKEDWEBSITE/public_html/modules/news/
....
Jun  6 13:36:54 SERVERNAME sudo: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Jun  6 13:36:54 SERVERNAME sudo: PAM adding faulty module: /lib64/security/pam_fprintd.so
Jun  6 13:36:54 SERVERNAME sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/rm /root/.bash_history
...

    It seems that the attacker managed to create a user called "firefart", which he used to create a super-user "darkangel". Please note that HACKEDWEBSITE had no shell access checked at its account (none cPanel account has). Of course at the end the attacker cleared bash history for root.

    Server specs:
    - CENTOS 6.9 x86_64 standard
    - cPanel & WHM 64.0 (build 24)

    Has anybody an idea on how this may have happened?
     
    #1 kalexanakis, Jun 7, 2017
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,134
    Likes Received:
    365
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Kernel up to date? Google for the name firefart.

    If you're unsure on what to do next, you should probably hire a qualified SysAdmin to help you.
     
    #2 Infopro, Jun 7, 2017
    quizknows likes this.
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Most likely a kernel exploit if your kernel is not up to date. Even if a cpanel account has no shell access, you can still run shell commands as the user ID through a hacked PHP web application. A hacked web app should be considered to have the same privileges as a user connecting on SSH (of course jailed vhosts and stuff can effect this, but for the most part, php running as the user has the same privileges as a linux user at the shell).
     
    #3 quizknows, Jun 7, 2017
  4. kalexanakis

    kalexanakis Member

    Joined:
    Feb 3, 2006
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    151
    Bad news: I though I got away with it after suspending offending account and updating kernel to latest version.

    I managed to login to the server as root and I saw that hacker managed to empty /var/log folder!
    Also, I cannot write files to /var/log folder as root making services incapable to start.

    Permittions of the folder are fine:
    drwxr-xr-x 8 root root 4096 Jun 23 19:35 log/

    How root can regain access to /var/log folder?
     
    #4 kalexanakis, Jun 23, 2017
  5. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    629
    Likes Received:
    94
    Trophy Points:
    153
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    Your server is rooted, I wouldn't try and take it back, just reinstall the OS and restore backups.
     
    #5 Jcats, Jun 23, 2017
    kalexanakis likes this.
  6. kalexanakis

    kalexanakis Member

    Joined:
    Feb 3, 2006
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    151
    Thanks mate. I have already started transferring accounts elsewhere, however I just need to know how root will be able to write at /var/log again. Root has already access permittions to manu other folders
     
    #6 kalexanakis, Jun 23, 2017
  7. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    629
    Likes Received:
    94
    Trophy Points:
    153
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    Can you paste some of the actual errors that refer to writing to /var/log
     
    #7 Jcats, Jun 23, 2017
  8. kalexanakis

    kalexanakis Member

    Joined:
    Feb 3, 2006
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    151
    for example
    touch maillog
    or
    sudo touch maillog
    in /var/log folder as root and i get
    permission denied
     
    #8 kalexanakis, Jun 23, 2017
  9. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    629
    Likes Received:
    94
    Trophy Points:
    153
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    ah can you show output of

    Code:
    grep root /etc/passwd
     
    #9 Jcats, Jun 23, 2017
(You must log in or sign up to post here.)
Loading...
Similar Threads - Server hacked using
  1. Clixer

    New Thread Apache crashes when the server load reaches 6%.

    Clixer, May 22, 2018 at 9:30 PM, in forum: Workarounds and Optimization
    Replies:
    1
    Views:
    2
    Clixer
    May 22, 2018 at 9:45 PM
  2. mayadesigns

    Unable to connect to local httpd server

    mayadesigns, May 22, 2018 at 11:25 AM, in forum: EasyApache
    Replies:
    2
    Views:
    41
    mayadesigns
    May 22, 2018 at 3:30 PM
  3. tholler

    After upgrade to V70 I can't send mail outside my server

    tholler, May 22, 2018 at 10:21 AM, in forum: E-mail Discussion
    Replies:
    2
    Views:
    35
    cPanelLauren
    May 22, 2018 at 2:39 PM
  4. inteldigital

    Using local email on remote server

    inteldigital, May 22, 2018 at 6:14 AM, in forum: E-mail Discussion
    Replies:
    1
    Views:
    23
    cPanelMichael
    May 22, 2018 at 1:24 PM
  5. willke

    SOLVED Configserver "deny list" listing IPs blacklisted by cPHulk Country blocks?

    willke, May 22, 2018 at 4:40 AM, in forum: Security
    Replies:
    2
    Views:
    30
    willke
    May 22, 2018 at 1:35 PM

Share This Page